Amazon Cognito has a number of system-reserved scopes:
But doesn't document what they give access to.
The first 3 are fairly self-explanatory. I would expect profile to mean the user profile.
I've found by trial-and-error that I need aws.cognito.signin.user.admin to use the Amazon Cognito Get User API call. I would have expected this to be profile instead, but OK, fine.
What I'm concerned about is what else aws.cognito.signin.user.admin might do. If I let 3rd party clients request this scope, what am I giving them access to?
The aws.cognito.signin.user.admin scope gives you access to all the User Pool APIs that can be accessed using access tokens alone (full documentation here).

Note that this doesn't mean that the user would have arbitrary access to all the AWS API (like an IAM role might), but that if the request syntax for that API call includes "AccessToken": "string", then an access token granted using aws.cognito.signin.user.admin will be able to call it.
As a rule, the Cognito UserPools APIs (and it's only Cognito UserPool APIs) that authorise like this are ones that allow you to modify something on your own UserPools profile (i.e. do not start with Admin and affect a single profile):
At a glance through the API, these actions are (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html):
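As an added example (not part of the question or answer above, and not Cognito's own code), the following stdlib-only Python shows the check an application back end can make before trusting a third-party client's Cognito access token: decode the JWT payload, confirm it is an access token (token_use is "access"), read the space-separated scope claim, and report whether aws.cognito.signin.user.admin is present or whether any scope outside an allow-list slipped through. The sample tokens are constructed inline with an empty signature purely so the example runs offline; in production the signature must be verified against the user pool's JWKS before any claim is relied on.

```python
import base64
import json

# The scope the answer above identifies as the one that unlocks
# AccessToken-authorised User Pool API calls (GetUser, UpdateUserAttributes, ...).
ADMIN_SCOPE = "aws.cognito.signin.user.admin"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token):
    """Return the payload claims of a compact JWS/JWT as a dict.

    NOTE: this does not verify the signature. Real Cognito tokens must be
    verified against the user pool's JWKS before these claims are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token):
    """Return the set of OAuth scopes carried by a Cognito *access* token."""
    claims = decode_claims(token)
    # ID tokens carry token_use "id" and no scope claim; reject them here.
    if claims.get("token_use") != "access":
        raise ValueError("expected token_use=access, got %r" % claims.get("token_use"))
    return set(claims.get("scope", "").split())


def grants_user_admin(token):
    """True if the token can call the AccessToken-authorised User Pool APIs."""
    return ADMIN_SCOPE in token_scopes(token)


def unexpected_scopes(token, allowed):
    """Scopes present on the token that a given client was never meant to hold.

    `allowed` is the set of scopes your app client configuration permits for
    that client; anything else on the token is worth alerting on.
    """
    return token_scopes(token) - set(allowed)


def _make_unsigned_token(claims):
    # Constructed sample builder: header.payload. with an empty signature.
    # Only for this offline example; never accept alg "none" in real code.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample tokens (client_id and sub are placeholders, not real values).
THIRD_PARTY_TOKEN = _make_unsigned_token({
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "access",
    "client_id": "exampleclientid000000000",
    "scope": "openid profile " + ADMIN_SCOPE,
})
READ_ONLY_TOKEN = _make_unsigned_token({
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "access",
    "client_id": "exampleclientid000000000",
    "scope": "openid email",
})
ID_TOKEN = _make_unsigned_token({
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "id",
})


if __name__ == "__main__":
    for name, tok in (("third-party", THIRD_PARTY_TOKEN), ("read-only", READ_ONLY_TOKEN)):
        print(name, "scopes:", sorted(token_scopes(tok)),
              "| user.admin:", grants_user_admin(tok),
              "| outside allow-list:", sorted(unexpected_scopes(tok, {"openid", "email", "profile"})))
```

The allow-list passed to unexpected_scopes should mirror the scopes enabled on that app client in the user pool; a token for a third-party client that carries aws.cognito.signin.user.admin when the client was not meant to have it indicates the client's allowed-scope configuration is broader than intended.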